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Protocol for enj -g^rinrr. ^-i c:;;:^Hl..lag_j^^/or eras-ixLO — i 
scrambled data access rights and corresponding acc gss^ 

control module 

The protocols for entering, disabling and/or erasing 
scrambled data access rights are, at the present time, 
crucially important for providing the most fluid and 
most flexible service provision management possible in 
the field of scrambled data access control. 

This is particularly the case in the field of pay 
television, a field in which the services or proposed 
service provisions tend to cover the most diverse 
services and provisions. 



In particular, in the aforementioned field, the 
periodic renewal of a subscriber's subscriptions 
entails adding, entering, new data characterizing the 
extension or- new subscription taken out by the 
20 subscrib.er. 

Given the independence between the management of the 
access rights subscribed and allocated to each 
subscriber and the access control proper, since access 

25 right management is handled via management messages, 
known as EMM messages, capable of conveying the access 
rights, and access control is handled by the 
transmission of access control messages, called ECM 
messages, comprising an encrypted access control word, 

30 serving as a service key and access criteria, such 
renewal involves entering new data into the memory of 
the security processor linked to the decoder or the 
access control module. 



35 



Since the access control module commonly comprises a 
bank card type microprocessor card, the latter 's memory 
resources are necessarily limited- 
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For this reason, the aforementioned procedure for 
entering rights is accompanied by a function for 
erasing expired rights. However, the sole purpose of 
5 the latter function is to free up memory space in the 
access control module or the card, to avoid, 
ultimately, filling it to saturation. 

Such an entry/erasure process, cannot provide, with all 
10 the necessary flexibility and security, fluid 
management of the access rights entered in the access 
control module or the card allocated to each 
subscriber. 

15 Such is the case, for example, following a payment 
lapse on the part of the subscriber, or even in the 
context of flexible offerings when the subscriber 
changes the offering to which he or she has subscribed. 

20 Considering the security criterion, given the somewhat 
crude nature of the current erasure procedure, any 
unscrupulous subscriber would be able to filter and 
intercept the erasure messages designed to reduce or 
control the latter 's access rights. 

25 

Moreover, a procedure for storing right entry EMM 
messages with a view to submitting the latter illegally 
to a replay procedure cannot be excluded. 

30 Finally, the current right entry and/or erasure 
procedures by EMM messages can cause these operations 
to malfunction if an appropriate sequencing is not 
respected. 

35 The object of the present invention is to implement a 
protocol for entering, disabling and/or erasing 
scrambled data access rights, on the one hand to 
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provide for an extremely flexible and fluid entered 
access rights control and management and, .on the other 
hand, to significantly improve the level of security 
offered. 

In particular, an object of the present invention is to 
implement a protocol for entering, disabling and/or 
erasing scrambled data access rights, in which each 
entry, disabling and/or erasure operation is made 
conditional on a prior reference, such as an action 
date . 

Another object of the present invention is also to 
implement a protocol for entering, disabling and/or 
erasing scrambled data access rights, in which the 
access right entry, disabling and/or erasure operations 
can be encoded, to improve security and prevent 
corresponding intercepted command messages from being 
replayed - 

Another object of the present invention is, finally, to 
implement an access control module enabling the entry, 
in the latter 's programmable memory, of access rights 
and electronic purses for implementing the protocol 
that is the object of the present invention. 

The protocol for entering, disabling and/or erasing 
scrambled data access rights, the object of the 
invention, is implemented for scrambled data 
transmitted from a transmission center to at least one 
descrambling terminal, to which is linked an access 
control module equipped with a security processor. The 
access rights are entered in the access control module 
and the scrambled data is subjected to an access 
control by periodic transmission of access control 
messages, conveying access criteria and a cryptogram of 
a control word that is changed periodically and 
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encrypted using an operation key, then, in each 
security processor, conditionally upon verifying the 
true value of at least one entered access right against 
the access criteria, by decrypting the cryptogram of 
5 the control word using the operation key, then 
transmitting the restored control word to the 
descrambling terminal and descrambling the scrambled 
data using the latter. 

10 It is noteworthy in that it consists at least in 
forming any access right entered in the access control 
module as a set of independent variables and linked 
variables comprising at least, in addition to an access 
right identification variable, an entered access right 

15 action date variable and a status variable which can 
have one of three encoded values signifying access 
right enabled, access right disabled, access right 
erased, transmitting from the transmission center to 
each descrambling terminal and to the access control 

20 module linked to the latter at least one access right 
management message, this message comprising at least, 
in addition to an entered access right identification 
variable, an action date variable and a status 
assignment variable, the encoded value corresponding to 

25 an enabled access right, a disabled access right or an 
erased access right. 

On receipt of the access right management message, it 
consists, finally, at the access control module, in 

30 assigning the action date to the entered access right 
corresponding to the access right identification 
variable of the access right management message, and 
allocating the status assignment variable corresponding 
to an enabled access right, a disabled access right or 

35 an erased access right to the corresponding entered 
access right status variable. 
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The module controlling access to scrambled data 
transmitted from a transmission center to at least one 
descrambling terminal to which is linked this access 
control module, the object of the present invention, is 
5 noteworthy in that it comprises, entered in the memory 
of this access control module, at least one access 
right formed by a set of independent variables and of 
linked variables, this set of variables comprising at 
least, in addition to an entered access right 
10 identification variable and a validity dates variable, 
an entered access right action date variable and a 
status variable that can have one of three encoded 
values signifying access right enabled, access right 
disabled or access right erased. 

15 

The protocol and the access control module, the objects 
of the present invention, can be applied, not just in 
the point-to-multipoint transmission of scrambled data, 
in particular pay television, but also in- the point-to- 
20 point transmission of video image data or service 
execution data, in a network, according to the IP 
protocol for example. 

They will be better understood by reading the 
25 description and remarks concerning the drawings below, 
in which: 

- figure 1 represents, by way of " illustration, a 
general flow diagram of the steps for implementing 
the protocol that is the object of the present 

30 invention; 

- figure 2a represents, by way of illustration, a 
specific flow diagram of the steps for implementing 
the protocol that is the object of the present 
invention, in an operation to enter an enabled right, 

35 in the access control module allocated to a 

subscriber; 
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- figure 2b represents, by way of indication, a 
specific flow diagram of the steps for implementing 
the protocol that is the object of the present 
invention, in an operation to disable a right entered 

5 in the access control module allocated to a 

subscriber; 

- figure 2c represents, by way of illustration, a 
specific flow diagram of the steps for implementing 
the protocol that is the object of the present 

10 invention, in an operation to erase an entered access 
right, the erasure operation corresponding to a 
virtual erasure, given the fact that the physical 
erasure of this right is momentarily deferred; 

- figure 2d represents, by way of illustration, a 
15 specific flow diagram' of the introduction of a 

physical erasure of an entered access ■ right, 
conditional on a specific criterion, such as a time- 
oriented criterion, for example; 

- figures 3a and 3b represent an access control module 
20 according to the invention. 

A more detailed description of the protocol for 
entering, disabling and/or erasing scrambled data 
access rights, conforming to the object of the present 
25 invention, will now be given in conjunction with figure 
1 and the following figures - 

As a general rule, it should be remembered that the 
protocol, the object of the present invention, is used 
30 to manage the access rights to scrambled data 
transmitted from a transmission center to a plurality 
of descrambling terminals. Each terminal Tk has an 
associated access control module fitted with a security 
processor. 

35 

Conventionally, each access control module can comprise 
a microprocessor card containing the aforementioned 
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security processor, and secure memories for storing 
decryption keys and, finally, any authenticity check 
operation for example. Each access control module is 
fitted with a programmable non-volatile ' memory and 
5 scrambled data access rights are entered in the access 
control module, into the aforementioned programmable 
non-volatile memory. 

The scrambled data is subjected to an access control by 
10 periodic transmission of access control messages, known 
as ECM messages. These access control messages convey 
access criteria and a cryptogram of a control word that 
is changed periodically and encrypted using an 
operation key . 

15 

In each security processor, conditionally upon 
verifying the true value of at least one entered access 
right against the access criteria conveyed by the 
access control messages, the access control is 

20 performed by decrypting the cryptogram of the control 
word using the operation key, stored in the security 
processor's secured non-volatile memory, by 

transmitting the control word restored by the access 
control module to the descrambling terminal, then 

25 descrambling the scrambled data using the restored 
control word in the aforementioned descrambling 
terminal . 

In the context of an aforementioned scrambled data 
30 access control procedure, the protocol, the object of 
the present invention, is noteworthy in that it at 
least consists in forming and defining any access right 
entered in the access control module as a set of 
independent variables and linked variables. These 
35 variables comprise at least, in addition to an access 
right identification variable and a validity dates 
variable, an access right action date variable entered 
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in the access control module and a status variable that 
can have one of three encoded values, namely access 
right enabled, or access right disabled, or access 
right erased. 

5 

Referring to the aforementioned figure 1, the following 
conventions are used: 

- R_ID: access right identification variable; 

- V_D: validity dates variable; 

10 - AD_V: entered access right action date variable; 

- S_V: status variable that can have one of three 
encoded values, namely access right enabled, access 
right disabled, or access right erased. 

15 By way of non-limiting example, it is indicated that 
the three encoded values could correspond to: 

- S_V = 0 for a disabled right; 

- S_V = 1 for an enabled right; 

- S_V = 2 for an erased right. 

20 

Given the preceding considerations, it is naturally 
understood that the definition and formation of the 
access rights, as mentioned previously in the 
description, are essential to the implementation of the 
25 protocol that is the object of the present invention. 
This step is represented in step O of figure 1 and each 
access right AR can then correspond to the following 
syntax : 

30 AR = [V_D] R_ID [R_SID] AD_V S_V (1) 

Referring to the aforementioned relation, it is 
indicated that, in accordance with the specific 
encoding of the aforementioned access rights, any 
35 variable between square brackets is considered to be 
optional . 
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While the validity dates variable V_D is an independent 
variable, it can be made optional for specific encoding 
reasons, the absence of validity dates variable, for an 
entered access right, possibly corresponding to a 
particular value of this right for example. 

Conversely, the variable R_SID, a right sub- 
identification variable, is a variable linked to the 
access right identification variable R_ID. 

In these conditions, the presence of the independent 
access right identification R_ID, action date AD_V and 
status S_V variables is considered necessary for the 
implementation of the protocol that is the object of 
the present invention, the latter being mainly 
implemented for entered access rights and comprising, 
even though optionally, a validity date variable. 

Thus, referring to the above relation (1), it should be 
understood that for these variables: 

- V D: indicates a validity date interval, which can be 
fixed and represented by an access right start date 
and end date or rolling and defined then as a number 
of days, or by an expiry date. The validity interval 
can then be converted to a fixed value on first use 
for example. 

- R ID and R_SID: the aforementioned variables 
correspond to identifiers and sub-identifiers of the 
entered right and are, naturally, used to reference 
this right in the access criteria conveyed by the 
access control messages ECM, 

- AD_V: indicates the date on which an operation was 
performed on the entered right- More specifically, it 
is indicated that the aforementioned variable 
indicates either the date of entry of the right 
entered in the card when no operation has been 
performed on the latter or, on the contrary, the date 
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of execution, action date, of the last subsequent 
operation and, in particular, the date of updating, 
the date of disabling or even the date of erasure, as 
will be described later in- the description. 
5 - S_V: indicates the encoded value of the status 
variable. Referring to figure 1, it is indicated that 
this encoded variable can have the values 0, 1, 2 
mentioned previously or any other explicit or 
encrypted value for example. 

10 

Referring to figure 1, the step for forming and 
defining the access rights, as mentioned previously, is 
considered to be complete. 

15 Following the aforementioned step 0, the protocol, the 
object of the present invention, consists in a step A, 
in transmitting, from the transmission center to each 
descrambling terminal Tk and, naturally, to the access 
control module linked to the latter, at least one 

20 access rights management message denoted EXM message. 

This message comprises, as shown in figure 1, at least 
an entered access rights identification variable, this 
variable being denoted R_IDx, an action date variable 

25 denoted AD_Vx, this action date corresponding to the 
date of transmission of the management message, in 
other words the date of the management operation 
performed on the entered access right for . which the 
identification variable R_ID corresponds to the 

30 identification variable R_IDx contained in the 
management message, as will be explained below in the 
description. The message can, moreover, include a 
validity dates variable, denoted V_Dx- Finally, the 
management message EXM includes a status assignment 

35 variable denoted S_Vx formed by an encoded value 
corresponding to an enabled access right, a disabled 
access right or an erased access right. The variable 
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S_Vx can then take the values 0, 1, 7., as mentioned 
previously in the description. 

On receipt of the EXM management message in the access 
5 control module linked to the descrambling terminal, the 
protocol, the object of the invention, consists, in a 
step B, in assigning the action date to the entered 
access right corresponding to the access right 
identification variable in the access rights management 
10 message, then, in a step C, in allocating, to the 
status variable S_V of the entered access right, the 
status assignment variable S_Vx corresponding to an 
enabled access right, a disabled access right or an 
erased access right. 

15 

Regarding the implementation of step B, it is indicated 
that this step can be implemented by the use of a 
logical If . . - Then type command. 

20 In these conditions, the aforementioned step B, as 
represented in figure 1, can consist in comparing the 
value of the entered access right identification 
variable R_ID with the entered access rights 
identification variable contained in the EXM management 

25 message, in other words with the variable R_IDx by 
match comparison. The aforementioned match comparison 
can comprise a plurality of successive comparisons 
relating to the variables such as right sub- 
identification variable R_SID and validity dates 

30 variable, or, if appropriate, to any other variable. 

When this match is verified, then the action date 
variable AD_V is allocated, conditionally, the value of 
the action date variable AD_Vx in the EXM management 
35 message. The aforementioned condition consists in 
verifying the posteriority of the variable AD_Vx 
against the variable AD_V. Then, the status assignment 
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variable S_Vx contained in the EXM management message 
is allocated to the status variable of the entered 
access. This operation is carried out, in step C, by 
instantiating the right S_V status variable of the 
5 entered access right S_V represented by the equality: 

S_V = S_Vx 

A more detailed description of the implementation of 
10 the protocol that is the object of the present 
invention, in the context of operations to enter an 
enabled right, disable a right then erase an entered 
right, will now be given in conjunction with figures 2a 
to 2d. 

15 

For an operation to enter a defined access right in an 
access control module, the action date variable AD_Vx/ 
in the EXM management message, corresponds to a date of 
entry of this access right and the assignment variable 
20 S Vx is an encoded value corresponding to an enabled 
right, in other words to the encoded value S_Vx = 1- 

The operation proper to enter the access right consists 
in entering, into the access control module, and in 
25 particular into the latter 's non-volatile memory, a 
defined access right, the action date of which is that 
of the aforementioned entry date and for which the 
status variable is that of the status variable 
S_Vx = 1. 

30 

Referring to figure 2a, the entry operation begins with 
the receipt, at the descrambling terminal Tk, of the 
EXM message, in step Boa- 

35 After demultiplexing of the EXM message, the access 
control module then has the variables R_IDx, V_Dx, 
AD Vx, S Vx = 1 derived from the EXM message and the 
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variables R_ID, V_D, AD_V, S_V of the right entered in 
the access control module, if the right is actually 
entered. 

5 For the aforementioned entry operation, the protocol 
that is the object of the present invention can 
consist, as represented in figure 2a, in verifying, in 
a step Bia, the existence of a corresponding entered 
right. This test is denoted: 

10 

3 R_ID = R_IDx. 

This test is accompanied by a test to ensure that this 
right does not belong to the erased state, S_V ^2, in 
15 order to allow the entry operation to be executed for 
existing rights in the disabled state or the entered 
state, for the purpose of a re-entry operation 
concerning the latter. The test implemented in step Bia 
verifies the relation: 

20 

3 R_ID = R_IDx AND S_V ?^ 2. 

On a positive response to step Bia, the protocol that is 
the object of the invention can consist in verifying 

25 the posteriority nature of the action date variable 
corresponding to an entry date in relation to the 
corresponding access right action date. This operation 
can be carried out, in step B2a/ by comparing the 
superiority of the action date and the action date 

30 variable AD_Vx contained in the EXM message in relation 
to the entered right action date AD_V. 

On a negative response to the test of the 
aforementioned step B2a/ the entry operation is 
35 terminated by an end-of-entry step Bsa/ the operation to 
enter the right not being completed. 
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Contrary to this, on a positive response to the test of 
step Baa/ the latter is then followed by a step 
consisting in updating the action date variable of the 
corresponding access right based on the action date 
corresponding to an entry date. 

This operation is represented by the relation: 



AD_V = AD_Vx 

The update step 843 is then followed by the assignment 
step C consisting in assigning, to the identical access 
right status variable S_V, the encoded value 
corresponding to an enabled right, or S_Vx = 1. The 
access right entered previously in the access control 
module is then renewed or updated. 

The protocol that is the object of the present 
invention for an entry operation can, naturally, be 
implemented in respect of the execution of a first 
entry of a right into an access control module. 

In such a situation, there is no entered right 
corresponding to the access right identification 
variable in the EXM message, variable R_IDx, and the 
relation match comparison in the test carried out in 
step Bia is not verified. 

Consequently, on a negative response to the test of the 
aforementioned step, negative response to the 
verification of the relation 3 R_ID = R_IDx AND S_V # 2, 
the protocol that is the object of the invention 
consists, in addition, in performing an update by first 
entry of this access right for which the action date 
corresponds to the entry date. 
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This operation is represented, in figure 2a, by the 
access, on a negative response to the step Bia, to the 
update step AD_V = AD_Vx. 

5 This access can be carried out by assigning to the 
variable R_ID of the right for which entry is being 
performed, in step Bsa, the value R_IDx contained in the 
EXM .management message, then in step Bsa/ the validity 
dates variable V_Dx to the validity variable V_D. 

10 

The assignment operation, in step C, corresponds, in 
this case, to a first entry. 

Similarly, referring to figure 2a, for an entered 
15 access right for which the status assignment variable 
corresponds to a right that has been erased, but is 
still physically present, S_V = 2, this also consists 
on a negative response to test Bia^ advantageously, in 
performing a new entry of the right, steps Bsa^ Bsa and 
20 B4a. This entered access right is then assigned a status 
variable corresponding to an. enabled right, step C. 

A more detailed description of an operation to disable 
an access right entered in an access control module 
25 conforming to the protocol that is the object of the 
present invention will now be described in conjunction 
with figure 2b. 

In such a situation, the action date variable of the 
30 access rights management message corresponds to a 
disabling date and the status assignment variable S_Vx 
is the encoded value corresponding to a disabled right, 
namely the value zero in the example given previously 
in the description. 

35 

In these conditions, the operation to disable the right 
entered in the access control module consists in 
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assigning, to the status variable of the entered access 
right S_V, . the encoded value corresponding to a 
disabled access right, namely the encoded value 
S_Vx = 0 and, naturally, updating the action date of 
5 the entered access right based on the disabling date. 

To this end, as represented in figure 2b, the disabling 
operation begins with a step for receiving the EXM 
management message relating to this operation at the 
10 descrambling terminal Tk- 

In this step, referenced Bob in figure 2b, there are the 
access right identification variable R_IDx, validity 
date variable V_Dx, action date variable AD_Vx and 
15 status assignment variable S_Vx = 0 contained in the 
EXM message, and the right assignment variable R_ID, 
validity date variable V_D, action date variable AD_V 
and status variable S_V of the right entered in the 
access control module. 

20 

In these conditions, the protocol that is the object of 
the present invention can. consist, as represented in 
figure 2b, prior to the disabling operation proper, in 
verifying, in a step Bib, on the access control module, 
25 the existence of a corresponding entered access right. 
The test Bib is similar to the test Bia in figure la. 

Moreover, and in a non-limiting manner, this test 
operation can consist in verifying, as in test Bia in 
30 figure la, that the corresponding entered access right 
is an enabled or disabled access right on which the 
disabling operation must be performed . 

For this reason, the test performed in step Bib verifies 
35 the relation: 

3 R ID = R IDx AND S_V 2. 
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On a positive response to step Bib/ the latter can then 
be followed by a step Bab consisting in verifying the 
posteriority nature of the action date variable 
5* corresponding to a disabling date with respect to the 
. action date variable of the entered right. This 
operation is. carried out, in test step Bab/ according to ■ 
the relation: 

10 AD_Vx > AD_V. 

On a negative response to the aforementioned test Bab/ 
as represented in figure 2b/ a call to an end of 
disabling step Bsb can be made/ such an operation being 
15 used to introduce a security measure in the disabling 
operation proper. 

Contrary to this, on a positive response to the test 
performed in step Bab/ an action date update step is 
20 performed in step B4b/ this update operation verifying 
the same relation as the update step on entering an 
enabled right B4a in figure 2a. 

Step B4b is then followed by the disabling proper step C 
25 consisting in assigning the encoded value corresponding 

to a disabled right S_Vx = 0 to the status variable of - 
the entered access right S_V. 

Referring to figure 2b, the protocol that is the object 
30 of the present invention can in addition be implemented 
to disable an erased access right still present on the 
access control module/ S_V = 2. In such a case/ it 
consists, on a negative response to the aforementioned 
step Bib/ in performing the update of step B4b then the 
35 disabling operation in step C, S_V = S_Vx = 0. As in 
the case of figure 2a, the step B4b can then be 
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implemented following a step Bsb and a step Beb similar 

to the steps Bsa and Bea respectively in figure 2a. 

In the aforementioned situations, the protocol that is 
5 the object of the invention, consists in performing an 
update of the access right by entering an access right 
for which the action date corresponds to a disabling 
date. This entered access right is assigned a status 
variable, corresponding to a disabled access right. 

10 

The aforementioned operations are used to position^ or 
enter, a right in the disabled state to prevent its 
subsequent entry by means of a message with an earlier 
action date. 

15 

A more detailed description of an operation to erase an 
entered access right, implemented in accordance with 
the protocol that is the object of the present 
invention, will now be given in conjunction with 
20 figures 2c and 2d. 

An operation to erase an entered access right is, in 
these conditions, performed on the basis of an EXM 
message for which the status assignment variable 
25 S_Vx = 2 corresponds to an erased access right. 

In these conditions, as represented in figure 2c, the 
erasure operation begins, on a descrambling terminal 
Tjc, with the receipt of an EXM message and there are 
30 then the variables previously described in the 
description, for the entry or disabling operations, but 
with the status assignment variable S_Vx = 2. 

The erasure operation is performed for an access right 
35 in the access control module for which the status 
variable corresponds to an enabled right or a disabled 
right . 
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In these conditions, the step for receiving the EXM 
message, Boc^ is followed by a test step Bic consisting 
in verifying the existence on the access control module 
5 of a corresponding entered access right. The 
aforementioned test Bic is similar to the test Bia or Bib 
in figures 2a or 2b, and verifies the same relation . On 
a negative response to the test of step Bic, end-of- 
erasure step B2c is invoked. On a positive response to 

10 the test Bi^ the latter is followed by a step Bac to 
verify the posteriority of the action date variable of 
the management message AD_Vx, with respect to the 
action date variable of the entered right AD_V- This 
step is performed by comparing superiority according to 

15 the relation: 

AD_Vk > AD_V. 

On a negative response to the aforementioned test Bbc, 
20 the return to the call for end-of-erasure step B2c can 
be performed in conditions similar to those at the end 
of disabling of a. right described in conjunction with 
figure 2b. 

25 Contrary to this, on a positive response to the test of 
step Bsc, the erasure operation, according to the 
protocol that is the object of the present invention, 
can consist in the call to a step to update the action 
date of the entered right, 'step B^cf according to the 

30 relation: 

AD_V = AD__Vx. 

The aforementioned update step is then followed by the 
35 erasure step proper, in step C, to perform a virtual 
erasure of the entered access right. 
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According to a particularly advantageous embodiment of 
the protocol that is the object of the present 
invention, the virtual erasure step consists in an 
allocation, to the status variable of the entered right 
5 S_V, of the status assignment variable of the 
management message S_V corresponding to an erased 
access right, namely S_Vx = 2. 

The virtual erasure concept in fact covers the concept 
10 of maintaining the physical existence of the access 
right entered in the non-volatile memory of the access 
module, while, however, this right is made unusable 
simply by assigning the encoded value corresponding to 
an erased access right. 

15 

According to a particularly advantageous embodiment of 
the protocol that is the object of the present 
invention, the virtual erasure step of an entered 
access right can correspond to a total absence- of the 

20 possibility of . using this right, although the latter is 
still physically present in the non-volatile memory of 
the access control module including the latter. The 
erasure operation proper, in other words the physical 
erasure of any entered access right, can then be 

25 performed systematically, independently of the access 
control and of the access of the subscriber to the 
scrambled data corresponding to the access right 
concerned. 

30 In particular, as represented in figure 2d, the 
physical erasure of the access right previously 
submitted to a virtual erasure state can be either 
immediate or deferred. 



35 If appropriate, the execution of the physical erasure 
state can be conditional upon a specific criterion. 
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such as a time-oriented criterion, as will be described 
in greater detail in conjunction with figure 2d. 

Referring to the aforementioned figure, an entered 
5 access right is considered to be in the virtual erasure 
state, following the implementation of the protocol 
that is the object of the present invention, in 
accordance with the embodiment illustrated and 
described previously in the description, in conjunction 
10 with figure 2c. 

In this situation, an EXM message, with S_Vx = 2, has 
been received and the virtual erasure situation 
corresponds to the relation described previously in the 
15 description S__V = S_Vx = 2. The corresponding virtual 
erasure state is represented by the state Cod in 
figure 2d. 

The execution of the physical erasure proper of the 
20 entered right can then be subject to a test such as a 
time-oriented test, in step Cid- 

The aforementioned test can, as a non-limiting example, 
consist in comparing the action date variable of the 
25 EXM message, namely the variable AD_Vx, by a 
superiority comparison, with the end-of-validity date 
variable V_D of the entered right. 

On a positive response to the test Cid/ since the 
30 erasure action date is later than the validity date of 
the entered right, physical erasure is performed 
immediately by calling a corresponding step Csd- 

Contrary to this, on a negative response to the test 
35 Cid, since the erasure action date is earlier than the 
end-of-validity date V_D of the entered right, a 
deferred physical erasure step is called C2d- The 
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erasure is deferred as long as the action date AD_Vx of 
all successive EXM erasure messages is less than or 
equal to the end-of -validity date of the entered right. 
The maintaining of the deferred physical erasure is 
5 symbolized by the return to the test Cid- 

It is understood that, by implementing the 
aforementioned deferred erasure, it is possible to 
provide a systematic management of the physical erasure 
10 of the entered access rights while the latter, although 
still physically present on the card, are unusable by 
the subscriber whose corresponding entered right has 
been placed in a virtual erasure situation. 

15 A comparative example of implementation of erasure or 
deletion of a right, in accordance with the prior art, 
and then in accordance with the protocol that is the 
object of the present invention, will now be given 
below in the description in the case where it is 

20 assumed, for a given subscriber, that there is no 
access control module, in other words there is no card 
allocated to the latter in the descrambling terminal or 
decoder or, if appropriate, operation of the decoder is 
unavailable for a period of time defined with respect 

25 to the cyclic transmission of management messages, EMM 
messages in the case of the prior art, EXM messages in 
accordance with the protocol that is the object of the 
present invention. 

30 The example therefore considers the cyclic broadcasting 
of management messages of the EMM type in the case of 
prior art procedures and of the EXM type on 
implementation of the protocol that is the object of 
the present invention. 

35 

The example considers, according to table 1 relating to 
the prior art procedure, the transmission of a cycle of 
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EMM type management messages according to a first 
cycle, as represented in the table, while during the 
corresponding action dates, according to the cells of 
area A in the cycle 1 table, the access control module 
or the descrambling terminal is out of service- 
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Table 1 





Message type 


Action 
date 


Action on the card 


c 
y 

c 

1 

e 
1 


R_IDi entry 
EMM 


01/12/01 


Prior to 01/12/01 

Right entered R IDi 


R__IDi deletion 
EMM 


02/12/01 


Right erased R_IDi 


R_ID2 entry 
EMM 


12/12/01 


Right entered R_ID2 


R_ID3 entry 
EMM 


13/12/01 




R ID4 entry 
EMM 


12/12/01 




EMM .../... 


.../... 




C 

y 

c 

1 

e 
2 


R_ID5 entry 
EMM 


31/12/01 


Right entered R^IDs 


Right R_ID5 
deletion EMM 


01/01/02 


Right erased R_ID5 


R_ID6 entry 
EMM 


12/01/02 


Right entered R__ID6 


EMM .../... 






n 
C 

y 

c 

1 

e 
1 


R IDi entry 
EMM 


01/12/01 


Right entered R__IDi 


R_IDi deletion 
EMM 


02/12/01 


Right erased R_IDi 


R_ID2 entry 
EMM 


12/12/01 


Right already entered 


R_ID3 entry 
EMM 


13/12/01 


Right entered R_ID3 


R_ID4 entry 
EMM 


12/12/01 


Right entered R_ID4 


EMM ..,/... 







B 
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In the aforementioned table 1, it should be remembered 
that the action date designates the message 
transmission date, but that this message however 
includes no action date, unlike the EXM messages used 
5 to implement the protocol that is the object of the 
present invention . 

Cycle 1 is followed by a cycle 2 with different dates 
then, next, a plurality of cycles 1, one of the cycles 
10 being designated by n cycle 1. 

On transmission of the first cycle 1, any operation to 
enter a right or delete a right, in other words 
erasure, is performed except, naturally, with regard to 
15 the cells in area A in which the access control module, 
in other words the card and/or the descrambling 
terminal, is out of service. 

On transmission of a cycle 2, different from cycle 1, 
20 with respect to the identification variable of the 
entered access rights since the access control module 
and/or the terminal are/is in service, the 
corresponding operations are, in the same way, 
executed. 

25 

Contrary to this, on repetition of cycle 1, in other 
words in table 1, for the cells of the cycle denoted n 
cycle 1, cells appear corresponding to an area B, this 
area indicating that the transmitted right R_IDi 
30 successively entered and erased cannot effectively be 
established as such in the access control module, in 
other words in the card, because no control by action 
date is performed. 

35 While the procedure according to the prior art does not 
allow for non-reentry of erased rights to be 
controlled, table 2, relating to the implementation of 
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the protocol that is the object of the present 
invention, in a similar situation, reduces the cases in 
which the EXM management messages introduce 
malfunctions in the conditions below. 
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Table 2 





Message type 


Action 
date 


Right status on the 
card 


c 
y 

c 
1 
e 

1 


.../... 

R_IDi entry 


m /I 9 /m 


Kignt, enuerea 


R_IDi disabling 

IliAlYl 


02/12/Or 


Disabled 


R_ID2 entry 
EXM 


12/12/01 


Right entered 


R_ID3 entry 
EXM 


13/12/01 




R_ID4 entry 
EXM 


12/12/01 




Right R_ID4 
disabling EXM 


13/12/01 




EXM .../... 






C 

y 

c 

1 

2 


EXM 






R "i nht R T D,- 

disabling EXM 




ux s aijxeci 


EXM 


19/01 709 










n 

c 

y. 


R_IDi entry 


01/12/01 


Message disregarded 


R_IDi disabling 


02/12/01 


Message disregarded 


EXM 


1 2/12/01 


M^cQ^PTo /Hi Q T*o rra T"H o^S 
1. -1 c o o a y c ux o 1. c ^ ci J- 


c 

1 


R_ID3 entry 
EXM 


13/12/01 


Right entered 


e 


R_ID4 entry 
EXM 


12/12/01 


Right entered 


1 


Right R_ID4 

disabling EXM 


13/12/01 


Disabled 




EXM .../... 
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In these conditions, the processing rules in the access 
control module are as follows: 

- on disabling, the right is marked as disabled I; 

- a disabled right can be reactivated only 
5 conditionally: 

- if the action date, in other words the action date 
variable of the EXM message, is less than or equal to 
the action date of the entered right, the action of 

- the message is disregarded in the card i; 
10 - if the action date of the EXM message is greater than 
the action date of an entered right, the entered 
right is reupdated, in other words actually updated 
as disabled or erased. 

15 In table 2, as in table 1, the area A corresponds to a 
downtime or period of malfunction of the access control 
module and/or of the descrambling terminal for cycle 1. 

The areas I indicate that the entered right has been 
disabled ..by the disabling message, namely 
S_y-- =■ S^Vx "-^0■;'■- 
the■cells of . area ± refer to the situation according 
to which, if the action date of the EXM message is 
less than or equal to the action date of the entered 
but disabled right, the corresponding action is 
disregarded in the access control module. 

This shows the existence of a more flexible and more 
fluid processing and management of all the access 
30 rights entered in the access control modules. 

For the implementation of the protocol that is the 
object of the present invention, it is important, 
naturally, to have a descrambling terminal linked to a 
35 module controlling access to the scrambled data 
transmitted from a transmission center to the 
aforementioned descrambling terminal. 



20 



25 
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As represented in figure 3a, it is indicated that the 
access control module linked to the corresponding 
descrambling terminal comprises, entered in this access 
5 control module's memory, at least one access right 
formed by a set of independent variables and linked 
variables, this set comprising at least, in addition to 
an identification variable R_ID of the entered right, 
an entered access right action date variable AD_V and a 

10 status variable that can take one of the three encoded 
values mentioned previously in the description to 
represent an enabled access right, a disabled access 
right or even an erased access right. The access 
control module can, moreover, include a validity dates 

15 variable, V_D- 

As a general rule, it is indicated that the access 
control module can comprise a software element or a 
hardware element and, in particular, a virtual card to 
20 embody the aforementioned software element or a 
microprocessor card fitted with the security processor, 
as mentioned previously in the description. 

When the access control module is a software element, 
25 the latter can be located in the descrambling terminal, 
for example. In this case, as represented in figure 3a, 
the access right formed by the aforementioned set of 
independent variables and linked variables can then be 
stored in a permanent memory such as a hard disk, for 
30 example, not shown in the drawings, and systematically 
loaded into the working memory of the descrambling 
terminal, the working memory naturally being connected 
to the security processor CPU_S of the descrambling 
terminal . 

35 

When, contrary to this, the access control module 
comprises a microprocessor card fitted with a security 
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processor, as represented in figure 3b, this 
microprocessor card is also fitted with a secured non- 
volatile programmable memory linked to the security 
processor. In such a case, as represented in the 
5 aforementioned figure 3b, the access rights formed by a 
set of independent variables and linked variables are 
entered in the secured non-volatile programmable 
memory . 

10 It is understood, in particular, that, with a bus link 
to the card's input/output circuits, denoted I/O, the 
interchange of instructions from the descrambling 
terminal either to enter an access right or to disable 
an access right, or on the contrary to erase an access 

15 right from the programmable non-volatile memory, can be 
embodied by the aforementioned input/output circuits 
I/O under the control of the security processor CPU_S 
mentioned previously, 

20 Finally, referring to the same figure 3b, and in the 
more particular case of a scrambled data access control 
service, access to this data being granted subject to 
payment, such as, for example, in the case of a pay 
television service, the concept of access right formed 

25 by a set of independent variables and linked variables 
and defining the modes of access to the scrambled data 
covers the electronic purses allocated to the 
subscribing user holding the access control module. 

30 For this reason, figure 3b shows a representation of an 
electronic purse encoded in a way similar to that of an 
access right AR, the electronic purse possibly 
including, in the same way, as an example: 

- an electronic purse identification variable denoted 
35 Purse Id; 

- a validity dates variable V_D; 

- an electronic purse action date variable AD_V; 
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- a status variable S V. 
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Finally, an account units variable can be provided, 
denoted Purse Units. 

5 

It is indicated that the electronic purse 
identification variable can be linked to a linked 
variable denoted Purse Subid, this variable according 
to the preceding notation conventions relating to the 
10 access right AR being, for example, an optional 
variable. 

In these conditions, it is understood that, for a given 
electronic purse, referenced Purse Id, it is possible 
15 to define sub-purses, each defined by the Purse SubId 
va:riable, for specific applications and particular 
services - 

The same applies with respect to the Purse Units 
20 variable, to which can be linked an optional linked 
variable RE, according to the same conventions. The 
linked variable RE can designate a "carry" variable 
used to carry over the content of the electronic purse 
concerned or the credit balance of the latter to an 
25 electronic purse of the same type or to the same 
electronic purse with an identical identifier. 

In these conditions, and equally in the case of access 
rights AR, the encoding syntax of the electronic 
30 purses, similar to that of the access rights AR, takes 
the form: 

PU = Purse Id [Purse SubId] V_D AD_V S_V Purse Units [RE] . 



